Posted by BeauHD on Monday May 09, 2016 @05:20PM
from the key-to-understanding dept.

coondoggie quotes a report from Networkworld: The Federal Trade Commission today said it issued a 10-page letter to eight leading players in the mobile communications arena requiring them to tell the agency how they issue security updates to address vulnerabilities in smartphones, tablets, and other mobile devices. Apple, BlackBerry, Google, HTC America, LG Electronics, Microsoft, Motorola Mobility, and Samsung must provide the following: The factors that they consider in deciding whether to patch a vulnerability on a particular mobile device, detailed data on the specific mobile devices they have offered for sale to consumers since August 2013, the vulnerabilities that have affected those devices, and whether and when the company patched such vulnerabilities.

Don’t buy phones that are locked to the carrier’s update schedule. Spend a little more and get something you can patch on your own terms.

Or only buy devices that have active development going on at xda-developers.com, including multiple and frequently-updated ROMs, or that are actively supported by one of the large alternative ROM creators such as Cyanogen, Resurrection, Pac, Slim, etc.

Personally I like the slightly older Samsung devices with some of the cool backport ROMs.

What if you never connect your phone to a mobile network and use it WiFi only*? At least my manufacturer provides updates over the regular Internet that I can access by WiFi. No provider ever knows if my phone is on its network.

* not the most common use case, but people might need a small tablet or don't need mobile internet but want to sync calendar & contacts every 24 hours when they are at home

Yes and no. Even if you are using an unlocked phone, security updates can take utterly ridiculous lengths of time to arrive.

Speaking personally, my unlocked Sony Xperia Z2 running US-market firmware finally received its last patch against the Stagefright exploit on April 12th, 2016, as part of my Marshmallow update released publicly that same day. The exact same patch was provided on the exact same phone running Lollipop in other regions as early as 27th November 2015, and there were no carriers involved.

I agree with your assessment that things should be simplified so that the updates come from Google. There's a problem, however, in that to my knowledge the drivers are tightly coupled with the kernel. They do this both for performance and because that is the way the Linux kernel is. You run into the same issues on desktop Linux systems, where installing Nvidia drivers requires a patch and shim to load a binary blob.

It is high time that Google took Android back in-house, and required manufacturers to add their glossy, bloatware overlays as user-removable apps which sit on top of the OS. OS-level updates should then be sourced not from the manufacturer or the carrier, but from Google themselves. That would instantly solve the problem, while allowing manufacturers to provide the differentiation they foolishly believe us to want. (And for those of us who'd rather have a stock experience, we could get rid of all the manufacturer crapware and have a swiftly-operating phone with regular security updates.)

Yes, but will never come as

a) what Google delivers as "Android" won't be running on any device, as there are specific additions and changes necessary to get it to run on specific hardware, which need to be provided and integrated by the hardware manufacturer

b) Google is already in hot water [heise.de] for abusing a de-facto monopoly and hindering competition between cellphone manufacturers by already making too many software decisions for Android phone manufacturers. (or the slashdot [slashdot.org] article)

a) those addons and changes can still be made by the manufacturer -- just separately from how the OS itself is delivered. You know, exactly what happens on numerous other platforms already, and has for decades.
b) Google would be in no hotter water if it took on the updating. They're only in hot water in places where it matters -- such as giving themselves an advantage with their preinstalled browser, preinstalled search boxes, etc. The manufacturers would almost certainly prefer it too, actually, in the l

Carriers and/or OEMs who abandon phones within 5 years of introduction should be compelled to release any signing keys that they used to lock bootloaders.

If Verizon wants to create a walled garden with locked bootloaders, then they have a responsibility to maintain it. Any devices that do not receive quarterly security patches should be forced open, allowing Cyanogenmod (et al) to become an option for security fixes. Novice users can then use third party security support, and power users can wipe Verizon's

My EU retail version Moto X 2nd Gen is still on the "Android security patch level" 1 November 2015. That's 6 months old. It's still vulnerable to some of the drive-by remote code execution exploits where simply visiting a website with an embedded video can run arbitrary code. There are 34 critical exploits in the security patches since 1 Nov.

Teaches me for buying a phone from a Google owned company. They then go sell it to Lenovo who then fires half their developers and
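The "security patch level" the poster above quotes is exposed by Android 6.0 and later as the system property ro.build.version.security_patch (YYYY-MM-DD). The script below is an added example, not code from the thread or from any vendor: it parses a constructed sample of `adb shell getprop` output and reports how stale that patch level is relative to a given date. The sample values, the 90-day threshold and the function names are all assumptions chosen for illustration.

```python
"""Check how stale an Android device's security patch level is.

Added example, not from the original thread. Parses the '[key]: [value]'
lines that `adb shell getprop` prints and computes the age of
ro.build.version.security_patch. Runs offline on an embedded sample.
"""
from datetime import date
import re

# Constructed sample of `adb shell getprop` output (not a real capture).
# It mirrors a device stuck at patch level 1 November 2015, as in the
# comment above; the model string is a placeholder.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [6.0]
[ro.build.version.sdk]: [23]
[ro.build.version.security_patch]: [2015-11-01]
[ro.product.model]: [example-model]
"""

# getprop prints each property as: [name]: [value]
_PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop output into a dict; lines that don't match are ignored."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props


def patch_level(props):
    """Return the security patch level as a date, or None when the device
    does not expose it (the property only exists from Android 6.0)."""
    raw = props.get("ro.build.version.security_patch")
    if not raw:
        return None
    y, m, d = (int(x) for x in raw.split("-"))
    return date(y, m, d)


def _as_date(today):
    # Accept either a date or an ISO 'YYYY-MM-DD' string.
    return date.fromisoformat(today) if isinstance(today, str) else today


def patch_age_days(props, today):
    """Days between the patch level and `today`, or None if unknown."""
    lvl = patch_level(props)
    if lvl is None:
        return None
    return (_as_date(today) - lvl).days


def assess(props, today, max_age_days=90):
    """Classify the device as 'unknown', 'current' or 'stale'.
    The 90-day default is an assumption, not a vendor or Google policy."""
    age = patch_age_days(props, today)
    if age is None:
        return "unknown"
    return "stale" if age > max_age_days else "current"


if __name__ == "__main__":
    # Replace SAMPLE_GETPROP with the real output of `adb shell getprop`
    # to check an attached device.
    props = parse_getprop(SAMPLE_GETPROP)
    today = "2016-05-09"  # date of this thread
    print(props.get("ro.product.model"), patch_level(props),
          patch_age_days(props, today), "days old ->", assess(props, today))
```

On a real device the same check is `adb shell getprop ro.build.version.security_patch`; a device on Lollipop or earlier returns an empty string, which the script reports as "unknown" rather than treating as current.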

Which is correct, as they don't have to build their own Windows (based on what they get from Microsoft) to get it to run on the machines they manufacture. Windows will be running out of the box on any machine that follows "PC" specifications.

There aren't any specifications like this for phones. Phone manufacturers need to build a specific OS for each phone based on what Google delivers as Android. That's exactly why you need the guys from cyanogen et al for: What Google gives out as Android will not be runni

Phone manufacturers can create their own customized launcher and proprietary apps, but besides compiling a custom kernel what else do they do?

Is what they "build" so significant that there cannot be regular updates from Android? Is there any real justification for their extra control?

Why can't it be like the model for Linux distros: The distro creates its own packages and updates. A sysadmin at a company may create their own custom package repository specific to their hardware with for example packa

"compiling a custom kernel"...yes... but after writing and including custom modules and drivers for the hardware used.

The regular Linux distros support a handful of processors; that's why "building a custom kernel" is little more than checking boxes to include or exclude modules, but you don't have custom hardware that you need to write modules for first.

The list of processors supported by Linux - meaning the Linux kernel - is huge [wikipedia.org]. The CPU in my Samsung phone is an ARM, as are the vast majority of phones. Samsung does not make the Linux kernel support for the various ARM architectures. It, like virtually every other company, purchases the components to build its devices on the market, devices which are generally supported independently by Linux.

Yes there are mobile manufacturers who do also make their own chips, which puts them in the category of a devi

I mean, Samsung makes a crap ton of phones - in 2014, they released on average 3 Android phones a week! (and a tablet a week, for completeness - it was something like 54 new tablets and 160-ish new phones). In 2015 they scaled it back somewhat. But the vast majority of phones will never get an update from Samsung - ever.

I mean, Samsung's pretty bad by themselves in software updates. You migh

Although your point is well taken, there are other things to consider.

Mobile devices often go unpatched due to the relationship between the carriers and the manufacturer. For example, you may buy a nice shiny Samsung, only to find out that it is not patched for the StageFright bug since the carrier has not vetted these patches yet. This is exacerbated when you bring your own phone over to the network, as they may not even know anything about what patch would work on your device.

Precisely. We're all starting to see the house of cards around centralized security models fall down now. Of course, this was apparent to anyone experienced in the industry, but the thickest amongst us. I've had innumerable arguments with Apple fanboys and shills about how centralized security isn't better, it just creates one massive point of failure. We'll see more and more of this in the coming years. Apple devices will be the easiest to compromise due to their centralized control structure.

What in the Constitution grants the FTC the power to demand this information?

The fact that phones are manufactured in East Asia and sold across state lines for use on networks that communicate across state lines. There's your "commerce with foreign nations, and among the several states" that the Constitution grants the Congress "power [...] to regulate". And the Congress has chosen to exercise this power by creating the FTC and FCC.

Apple: We release updates directly to phones because we control the software and hardware stack

Google: We publish updates to the core OS, Android vendors implement updates. We release updates to Google apps on the Play Store. Vendors' devices get access to the Play Store if they sign a contract with us.

Samsung: We released 56 different phone models in 2014 and it's a pain in the dick updating even the flagships because of all the.. Uhm.. Value added software we load on them.

Now we're all wondering whether you forgot that Microsoft was the final company on the list or their omission was an oblique reference to their relevance in the mobile market and/or how they handle demands from authorities.

Microsoft: With Windows Phone 10 with Bing and Cortana the phones self-update. All the time. You can't stop it even if you want to. Don't like it? Too bad. You'll get 11 too whether you like it or not.

Interesting how Apple is the only one that can comply with an invasive and controlling question, because, well, they're the most invasive, centralized, and controlling among them. Your post implies this is a good thing. Any security researcher, administrator, developer, or technician worth their salary would disagree.

While I'm all in favor of more transparency in security vulnerability and patching processes, I wonder where the FTC gets the authority to order phone manufacturers to disclose this information. Is there some congressional statute they're acting under, or did they just make this up? Do they have unlimited power to require any company that manufactures and sells any product whatsoever to disclose anything they (the FTC) wants, or is there some narrower law they are working under?

The commerce clause, as explained in a reply to AC's comment [slashdot.org].

The commerce clause is part of the Constitution. The Constitution doesn't grant the FTC any authority whatsoever. It grants Congress the right to regulate interstate commerce. Congress must then, in turn, grant authority to the FTC. It does so by means of statutes in the United States Code. The FTC doesn't have unlimited power to regulate any and all interstate commerce. So I'm wondering, under which statute do they claim to have the authority to order private companies to disclose security vulnerabili

You know damn well what the reasoning behind this is; it's so the government can have a standing in regulatory compliance in that if a cell phone provider wishes to use the network, it must let the government manage security policy - specifically with regards to encryption. This is nothing more than lining up the opportunity to legally cripple Apple and Google's ability to lock down their devices to where not even the government can break into them. Don't comply, then you won't be allowed to use the new shiny

In Germany, we only need one agency for this kind of hypocrisy: the "BSI" has _both_ the duty to promote the security of IT _and_ the duty to help with placing trojans on whatever computer the government wants to spy on. Go figure how much trust people have in advice from BSI...

The FTC, according to the letter, is doing this on the basis of a "resolution." No law. No regulation. Just they _resolved_ it in order to complete a study. They're basically making a willful power grab. I wonder if the manufacturers will bite or fight? I think they should tell them where to stick it.

The FCC or NSA has more authority to do this than the FTC. The NSA through a FISA court order seems the most likely way to grant any legal authority in the matter. This is otherwise a blatant power grab. What t

Maybe the FTC want to make sure those companies aren't being dodgy. Like saying they're selling secure, supported devices when they're not. Not deliberately cutting support for old devices so they can sell more new ones. Not selling devices they never intend to provide security fixes for.

The FCC launched an inquiry [fcc.gov] in partnership with the FTC. I submitted a story to slashdot on the FCC inquiry, yet somehow this is what we get.

Regardless, this is a big story, as the way security patches have been handled -- or more precisely ignored by the carriers and manufacturers -- has become a huge problem. We're talking millions of vulnerable internet-connected mobile devices out there which, the way things are now, will never get patches for severe exploits like Stagefright.

Most people who use cell phones in the US are totally unaware of the certification process in place for those phones.

The main game in town is PTCRB. This makes up most of the GSM/UMTS and LTE carriers in the US and Canada. Verizon has their own program, which by and large follows GCF, the European counterpart to PTCRB, but based on open standards. Though, VzW mixes in proprietary standards.